How to expand certificate with a wildcard subdomain?

Hi,

I searched and found other posts here on this subject, but as I started to deal with ssl deployment now, none of them was clear to me, or what should I do.

Initially I obtained the certificate using the command:

sudo certbot --nginx -d polisoftware.com.br -d www.polisoftware.com.br

So I configured NGINX to use SSL and everything is working correctly.

Now I would like to expand or overwrite this certificate that is already in production with a wildcard domain *.polisoftware.com.br.

I’ve used the --expand option once like this:

sudo certbot certonly --expand -d polisoftware.com.br -d www.polisoftware.com.br -d ns2.polisoftware.com.br

to include ns2.polisoftware.com.br, and it worked correctly.

Researching, I saw that I can use a wildcard certificate, so I don’t need to expand every time a new name is needed.

My question is whether I can use this same command to also include *.polisoftware.com.br, something like:

sudo certbot certonly --expand -d polisoftware.com.br -d www.polisoftware.com.br -d ns2.polisoftware.com.br -d '*.polisoftware.com.br'

Or should I remove the current certificate and generate a new one? What would be the correct procedure?

Do I need to make any changes to my DNS entries?

Welcome to the Let’s Encrypt Community, Giorgio :slightly_smiling_face:

You can use this:

sudo certbot run --cert-name polisoftware.com.br -a manual -d 'polisoftware.com.br,*.polisoftware.com.br' -i nginx

No need for all the subdomains as that’s the whole point of a wildcard. This will prompt for manual creation of dns txt records. Once successful, we can work on automation. :slightly_smiling_face:

You can view your certificates and note the names of old/outdated ones…
sudo certbot certificates

… then delete them
sudo certbot delete --cert-name certificatename

Thanks a lot for the help.

I got it, and the new certificate is already working.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: polisoftware.com.br
    Domains: polisoftware.com.br *.polisoftware.com.br
    Expiry Date: 2020-12-16 20:48:31+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/polisoftware.com.br/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

But when I run the command:

sudo certbot renew --dry-run

I get the following message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/polisoftware.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (polisoftware.com.br) from /etc/letsencrypt/renewal/polisoftware.com.br.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

my /etc/letsencrypt/renewal/polisoftware.com.br.conf file looks like this:

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/polisoftware.com.br
cert = /etc/letsencrypt/live/polisoftware.com.br/cert.pem
privkey = /etc/letsencrypt/live/polisoftware.com.br/privkey.pem
chain = /etc/letsencrypt/live/polisoftware.com.br/chain.pem
fullchain = /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ?????????
authenticator = manual
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

Any idea?

Glad you got your certificate. :partying_face:

Your configuration file looks precisely as expected. Your version of certbot is a bit old (0.40.0 vs 1.8.0), but that shouldn’t hurt anything here.

The renew function of certbot is by its nature “non-interactive”, which means that unless you have scripts setup through the hooks, the manual authentication/acquisition method doesn’t know how to automatically create the dns txt records. This is the biggest sticking point of renewing wildcard certificates (and why I said that once we were successful we could work on automation). :slightly_smiling_face:

Until automation is accomplished, you can use the following to renew, but you’ll still need to run it manually:
sudo certbot run --cert-name polisoftware.com.br

This will utilize the parameters in the configuration file for the certificate named polisoftware.com.br to acquire and install a certificate.

Now, as far as automation, you could use an API through your DNS provider (e.g. domain registrar) in order to automate the creation and destruction of the DNS TXT records via the hooks. Another option is to create a CNAME from _acme-challenge.polisoftware.com.br to another domain name where you can automate creation of the TXT records. This is the concept behind acme-dns.

Once again I am very grateful for your attention!

I understand the problem, and I’m trying to use the solution you showed at https://github.com/joohoi/acme-dns

But now another problem has appeared, this solution needs to create an NS type record pointing to auth.polisoftware.com.br, but the interface (CPanel) of my domain controller does not give me this option. Only A, AAAA, CAA, CNAME, MX, SRV and TXT records are available.

I posted an issue on:

https://github.com/joohoi/acme-dns/issues/244

to find out if there is any way to get around this.

Thank you!

Great!!! It finally worked…

I was trying to run the acme-dns API inside my own server, but I was unable to make the required settings on my domain controller. I think the problem is my controller that does not offer NS records option.

So I decided to try with the API available at https://auth.acme-dns.io. That way I only needed to do a POST at https://auth.acme-dns.io/register to obtain the necessary json to directly use the hook available at https://github.com/koesie10/acme-dns-certbot:

curl -X POST https://auth.acme-dns.io/register

I created an entry in my DNS:
_acme-challenge.polisoftware.com.br. type CNAME pointing to the value that the POST in https://auth.acme-dns.io/register returned in the “fulldomain” field of json.

I created a /etc/acme-dns folder with files:

/etc/acme-dns/acme-dns-certbot-hook
/etc/acme-dns/hook.json

The file acme-dns-certbot-hook can be obtained with the command:

go get github.com/koesie10/acme-dns-certbot-hook
(needs go installed)

The hook.json file must be created with the information obtained from the POST at https://auth.acme-dns.io/register, mine was like this:

{
        "acme_dns_url" : "https://auth.acme-dns.io",
        "propagation_duration" : "10s",
        "domains" : {
                "polisoftware.com.br" : {
                        "allowfrom" : [],
                        "username":"0683e???????????????????36fdd",
                        "password":"qT4h1i????????????????????????????????ZasVUN33iO",
                        "fulldomain":"c5ad???????????????????????????.auth.acme-dns.io",
                        "subdomain":"c5ade?????????????????????cfa8"
                }
        }
}

So I made some changes to the file: /etc/letsencrypt/renewal/polisoftware.com.br.conf that looked like this:

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/polisoftware.com.br
cert = /etc/letsencrypt/live/polisoftware.com.br/cert.pem
privkey = /etc/letsencrypt/live/polisoftware.com.br/privkey.pem
chain = /etc/letsencrypt/live/polisoftware.com.br/chain.pem
fullchain = /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <YOUR LETSENCRYPT ACC ID>
pref_challs = dns-01,
authenticator = manual
manual_auth_hook = /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
manual_public_ip_logging_ok = yes
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

Now the command:
sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/polisoftware.com.br.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator manual, Installer nginx
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for polisoftware.com.br
dns-01 challenge for polisoftware.com.br
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Running manual-auth-hook command: /etc/acme-dns/acme-dns-certbot-hook -config /etc/acme-dns/hook.json
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/polisoftware.com.br/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/polisoftware.com.br/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Once again thank you very much for showing the way !!!

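As an added example (not code from this thread and not the koesie10/acme-dns-certbot Go hook it uses), here is a minimal Python manual-auth-hook that does what the earlier reply described a hook must do for non-interactive renewal: read CERTBOT_DOMAIN and CERTBOT_VALIDATION from certbot, POST the dns-01 token to the acme-dns /update endpoint with the X-Api-User / X-Api-Key credentials from the hook.json layout shown above, and wait propagation_duration. The ACME_DNS_CONFIG variable, the default config path and the 43-character token check are my assumptions, not certbot conventions.

```python
"""certbot manual-auth-hook that publishes the dns-01 token through the acme-dns update API."""
import json
import os
import time
import urllib.request

# Constructed default; the thread keeps its credentials in /etc/acme-dns/hook.json.
DEFAULT_CONFIG = "/etc/acme-dns/hook.json"


def load_config(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def build_update_request(config, domain, validation):
    """Return (url, headers, body) for POST /update, or raise on bad input."""
    # acme-dns only stores the 43-char base64url SHA-256 digest certbot hands the hook.
    if len(validation) != 43:
        raise ValueError(f"validation token must be 43 chars, got {len(validation)}")
    try:
        creds = config["domains"][domain]
    except KeyError:
        raise KeyError(f"no acme-dns credentials for {domain} in hook.json") from None
    url = config["acme_dns_url"].rstrip("/") + "/update"
    headers = {
        "X-Api-User": creds["username"],   # acme-dns credentials from /register
        "X-Api-Key": creds["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": creds["subdomain"], "txt": validation}).encode()
    return url, headers, body


def propagation_seconds(config):
    """Parse values such as '10s' or '2m' as used in hook.json."""
    raw = config.get("propagation_duration", "10s")
    return int(raw[:-1]) * {"s": 1, "m": 60}[raw[-1]]


def main():
    config = load_config(os.environ.get("ACME_DNS_CONFIG", DEFAULT_CONFIG))
    # For '*.polisoftware.com.br' certbot passes the bare identifier 'polisoftware.com.br'.
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    url, headers, body = build_update_request(config, domain, validation)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    urllib.request.urlopen(req, timeout=30)  # non-2xx raises, which fails the hook
    time.sleep(propagation_seconds(config))  # let resolvers see the new TXT first


if __name__ == "__main__":
    main()
```

Point `manual_auth_hook` at this script instead of the Go binary and the dry run above proceeds the same way; the _acme-challenge CNAME still has to exist, since acme-dns only answers for its own zone.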
Perfecto! :partying_face:

You have implemented wildcard certificate automation, my friend. Few who come here successfully achieve this feat!
